Jump to content

Build Theme!
  •  
  • Unreplied Topics
  • Downloads
  • Infected?

WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. :D Join 93084 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Photo

[Resolved] Win32.trats!inf

Started by mucksava , Feb 17 2008 12:17 PM

  • This topic is locked This topic is locked
9 replies to this topic

#1 mucksava

mucksava

    New Member

  • New Member
  • Pip
  • 5 posts

Posted 17 February 2008 - 12:17 PM

My norton's keeps coming up with win32.trats infection that it can't seem to get rid of. I ran Nortons in in safe mode and downloaded other anti-spyware cleaners, but the thing keeps coming back and seems to be infecting other programs. Popups keep coming up and windows installer also seems to pop up all the time. below is by Hijack this Log: I would really appreciate any help with this.

Logfile of HijackThis v1.99.1
Scan saved at 12:57:19 PM, on 2/17/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\F?nts\j?vaw.exe
C:\Program Files\Compaq A3000\CPQA3000.exe
C:\Program Files\Verizon Online\bin\mpbtn.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Megan Wolfe\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.upenn.edu/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape6%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Megan Wolfe\Application Data\Mozilla\Profiles\default\g88i87zx.slt\prefs.js)
O2 - BHO: NavErrRedir Class - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRA~1\Adobe\ACROBA~1.0\Reader\ActiveX\ACROIE~1.OCX
O2 - BHO: (no name) - {07C7156E-D651-4ACC-9AD3-498C916E9651} - C:\WINDOWS\System32\hggfede.dll
O2 - BHO: (no name) - {A5FD69B2-D14C-4F2B-8A48-61A1714D0F25} - C:\WINDOWS\System32\ddcdc.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\Toolbar.dll (file missing)
O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\System32\qttask.exe
O4 - HKLM\..\Run: [WinVNC] "C:\vnc\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CTPDPSRV] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\CTPDPSRV.EXE
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [Acut] "C:\DOCUME~1\MEGANW~1\APPLIC~1\FNTS~1\wuauboot.exe" -vt yazb
O4 - Global Startup: Compaq A3000 Settings Utility.lnk = C:\Program Files\Compaq A3000\CPQA3000.exe
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\bin\matcli.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O10 - Unknown file in Winsock LSP: c:\program files\neoteris\secure application manager\samnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\neoteris\secure application manager\samnsp.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\PLUGINS\NPDocBox.dll
O15 - Trusted Zone: http://mwebpah.uphs.upenn.edu
O16 - DPF: Cab-package - http://uphsnet.uphs....vex/mv_cert.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1203260859339
O16 - DPF: {6FE450DC-AD32-48D4-A366-01EE7E0B1374} - http://uphsnet.uphs....vex/capicom.cab
O16 - DPF: {86ecb6a0-400a-11d5-b638-00c04faedb18} -
O16 - DPF: {A8B3A7FE-9C8D-4F15-9B01-8805BDF43B1B} (AMI Pictorial Control CWeb 2.1 SPa06) - http://cenweb.uphs.u...l/amiviewer.cab
O16 - DPF: {D98F5BFB-D1E2-428F-B415-64DE948DE12D} - http://cenweb.uphs.u...l/amiviewer.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetup Control) - https://extranet.uph...uniperSetup.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7E7477E7-86C8-42C2-8695-D412071F139F}: NameServer = 71.242.0.12 71.250.0.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{D7E1ACC9-8671-4D19-89D9-53388D88E34A}: NameServer = 128.91.2.13,128.91.254.1,128.91.254.4
O20 - Winlogon Notify: hggfede - C:\WINDOWS\SYSTEM32\hggfede.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\vnc\WinVNC.exe" -service (file missing)

    Advertisements

Register to Remove

#2 Simon V.

Simon V.

    MRU Emeritus

  • Authentic Member
  • PipPipPipPip
  • 897 posts

Posted 18 February 2008 - 11:27 AM

Hello, and welcome to the forum.

My name is Simon V., and I'll be glad to help you with your computer problems.

Please download and install CCleaner.

Open CCleaner. On the Windows tab, leave the default options alone.

  • On the Applications tab, check (tick) all the boxes except Saved Form Information. This will remove all your saved passwords if you leave this box checked.
  • Click on the Run Cleaner button at the bottom right hand corner.
  • When the cleaner has completed, click Tools in the Left Pane.
  • Verify that Uninstall is highlighted in color, or click on it.
  • In the lower right, click Save to Text File.
  • Pull down the arrow at the top of the Save dialog and choose Desktop as the location.
  • You can leave the filename as install.txt.
  • Click Save, then exit Ccleaner.
_______________________________

Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingc...to-use-combofix

Post the log from ComboFix (C:\Combofix.txt) when you've accomplished that, along with a new HijackThis log and the CCleaner Uninstall List (install.txt)
Trained at Malware Removal University - A Cooperative Effort with WhatTheTech Classroom.

Posted Image
Posted Image

So How Did I Get Infected In The First Place?
Stand Up and Be Counted!

#3 mucksava

mucksava

    New Member

  • New Member
  • Pip
  • 5 posts

Posted 18 February 2008 - 01:33 PM

Thanks a lot for helping me out with this. I really appreciate it. I saw a lot of other people using combofix, so I ran it last night. Anyway, I used the cclean, then ran combofix again and hijack this. all the logs are below:



cclean:

<no name>
Adobe Acrobat Reader 5.0.5
Adobe Flash Player 9 ActiveX
America Online
aspi
CCHelp
CCleaner (remove only)
CCScore
Cisco Systems VPN Client 5.0.01.0600
Compaq A3000
CorporateTime 6.0
CR2
Dell ResourceCD
Easy CD Creator 5 Basic
EndNote 9
ESSAdpt
ESSANUP
ESSBrwr
ESSCAM
ESSCDBK
ESScore
ESSgui
ESShelp
ESSini
ESSPCD
ESSTUTOR
ESSvpaht
ESSvpot
Eudora 5.1.3
FileZilla 1.9.9
FRED
Google Toolbar for Internet Explorer
Google Updater
HeartCode Inhospital
HijackThis 1.99.1
Hummingbird HostExplorer
Intel® Extreme Graphics Driver
Intel® PRO Ethernet Adapter and Software
Intercooled Stata 8 for Windows
Internet Explorer Q831167
ISI ResearchSoft - Export Helper
J2SE Runtime Environment 5.0 Update 1
Java 2 Runtime Environment Standard Edition v1.3.1_05
JMPIN
Juniper Networks Secure Application Manager
Kaspersky Online Scanner
Kodak EasyShare software
KODAK Picture CD
KSU
Leash32 2.1.2 for Windows
LimeWire 4.8.1
LiveUpdate 1.7 (Symantec Corporation)
Macromedia Shockwave Player
MetaFrame Presentation Server Web Client for Win32
Microsoft .NET Framework (English)
Microsoft .NET Framework (English) v1.0.3705
Microsoft ActiveSync 3.7
Microsoft Data Access Components KB870669
Microsoft Money 2002
Microsoft Money 2002 System Pack
Microsoft Office XP Professional with FrontPage
Microsoft Text-to-Speech Engine 4.0 (English)
Mozilla Firefox (2.0.0.11)
Netscape 6.2.3
Nortel Networks Contivity VPN Client
Norton AntiVirus Corporate Edition
Notifier
NVIDIA Windows 2000/XP Display Drivers
Oracle JInitiator 1.1.8.11
OTtBP
Outlook Express Q837009
PCDLNCH
PowerDVD
program files
QuickTime
RealPlayer Basic
SecureCRT 3.4.6
SFR
SFR2
SoundMAX
SoundMAX WDM Driver
Spyware Doctor 5.5
Ulead Photo Express 4.0 My Custom Edition
Verizon Online
Verizon Online Support Center
Viewpoint Media Player (Remove Only)
WebFldrs XP
Windows Media Format Runtime
Windows Media Player 10
Windows Media Player Hotfix [See wm828026 for more information]
Windows XP Hotfix - KB810217
Windows XP Hotfix - KB821557
Windows XP Hotfix - KB823182
Windows XP Hotfix - KB823559
Windows XP Hotfix - KB823980
Windows XP Hotfix - KB824105
Windows XP Hotfix - KB824141
Windows XP Hotfix - KB824146
Windows XP Hotfix - KB825119
Windows XP Hotfix - KB828035
Windows XP Hotfix - KB828741
Windows XP Hotfix - KB835732
Windows XP Hotfix - KB837001
Windows XP Hotfix (SP2) [See Q329048 for more information]
Windows XP Hotfix (SP2) [See Q329115 for more information]
Windows XP Hotfix (SP2) [See Q329390 for more information]
Windows XP Hotfix (SP2) [See Q329834 for more information]
Windows XP Hotfix (SP2) Q328310
Windows XP Hotfix (SP2) Q329170
Windows XP Hotfix (SP2) Q329441
Windows XP Hotfix (SP2) Q331953
Windows XP Hotfix (SP2) Q810565
Windows XP Hotfix (SP2) Q810577
Windows XP Hotfix (SP2) Q810833
Windows XP Hotfix (SP2) Q811493
Windows XP Hotfix (SP2) Q814033
Windows XP Hotfix (SP2) Q815021
Windows XP Hotfix (SP2) Q817287
Windows XP Hotfix (SP2) Q817606
Windows XP Hotfix (SP2) Q819696
Windows XP Service Pack 1 (1033)
WinVNC 3.3.3


ComboFix 08-02-18.1 - Megan Wolfe 2008-02-18 14:11:12.3 - NTFSx86
Running from: C:\Documents and Settings\Megan Wolfe\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-01-18 to 2008-02-18 )))))))))))))))))))))))))))))))
.

2008-02-18 13:51 . 2008-02-18 13:51 <DIR> d-------- C:\Program Files\CCleaner
2008-02-18 07:43 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-02-18 07:43 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-02-17 23:03 . 2008-02-17 23:03 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-02-17 23:03 . 2008-02-17 23:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-17 22:01 . 2008-02-17 22:01 <DIR> d-------- C:\Documents and Settings\Megan Wolfe\Application Data\Talkback
2008-02-17 08:53 . 2008-02-18 13:25 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-17 08:52 . 2008-02-18 13:33 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-02-17 08:52 . 2008-02-17 08:52 <DIR> d-------- C:\Documents and Settings\Megan Wolfe\Application Data\PC Tools
2008-02-17 08:52 . 2007-12-10 14:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-02-17 08:52 . 2007-12-10 14:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-02-17 08:52 . 2007-12-10 14:53 41,864 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-02-17 08:52 . 2007-12-10 14:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-02-17 08:47 . 2008-02-17 22:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Google Updater
2008-02-17 01:17 . 2008-02-17 01:17 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Juniper Networks
2008-02-17 00:44 . 2008-02-17 07:40 2,042 --a------ C:\WINDOWS\system32\tmp.reg
2008-02-17 00:43 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-02-17 00:43 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-02-17 00:43 . 2008-02-16 19:46 85,504 --a------ C:\WINDOWS\system32\VACFix.exe
2008-02-17 00:43 . 2008-02-08 10:37 82,432 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-02-17 00:43 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-02-17 00:43 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-02-17 00:43 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-02-16 22:41 . 2008-02-16 22:41 181,965 --a------ C:\WINDOWS\system32\L63DB.tmp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-18 02:35 --------- d-----w C:\Program Files\UPHS VPN
2008-02-17 23:57 --------- d-----w C:\Program Files\NavNT
2008-02-17 15:12 --------- d-----w C:\Program Files\Google
2008-02-17 15:00 145,408 ----a-w C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\msconfig.exe
2008-02-17 13:29 145,408 ----a-w C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\MSConfig .exe
2008-02-17 03:49 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-02-15 02:00 --------- d-----w C:\Documents and Settings\Megan Wolfe\Application Data\EndNote
2008-01-15 22:50 --------- d-----w C:\Documents and Settings\LocalService\Application Data\Juniper Networks
2008-01-14 03:31 --------- d-----w C:\Documents and Settings\Megan Wolfe\Application Data\Viewpoint
2008-01-14 03:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-01-12 16:17 --------- d-----w C:\Documents and Settings\Megan Wolfe\Application Data\ICAClient
2008-01-12 16:16 --------- d-----w C:\Program Files\Neoteris
2008-01-12 16:16 --------- d-----w C:\Documents and Settings\Megan Wolfe\Application Data\Juniper Networks
2004-01-24 04:07 20,040 -c--a-w C:\Documents and Settings\Megan Wolfe\Application Data\GDIPFONTCACHEV1.DAT
2003-01-15 14:29 1,816 -c--a-w C:\Program Files\INSTALL.LOG
.
<pre>
----a-w		   145,408 2008-02-17 13:29:10  C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\MSConfig .exe
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vptray"="C:\Program Files\NavNT\vptray.exe" [ ]
"QuickTime Task"="C:\WINDOWS\System32\qttask.exe" [ ]
"WinVNC"="C:\vnc\WinVNC.exe" [ ]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [ ]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [ ]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-06-24 18:32 4800512]
"CTPDPSRV"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\CTPDPSRV.EXE" [ ]
"Motive SmartBridge"="C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe" [ ]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [ ]
"MSConfig"="C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.exe" [2008-02-17 10:00 145408]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Compaq A3000 Settings Utility.lnk - C:\Program Files\Compaq A3000\CPQA3000.exe [2004-05-21 10:33:49 1142784]
Verizon Online Support Center.lnk - C:\Program Files\Verizon Online\bin\matcli.exe [2005-07-14 18:35:36 204800]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= C:\Program Files\Qualcomm\Eudora\EuShlExt.dll [2002-04-04 14:00 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-583907252-1708537768-1417001333-13306\Scripts\Logon\0\0]
"Script"=\\med.upenn.edu\netlogon\audit.cmd

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 7.0 Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 7.0 Tray Icon.lnk
backup=C:\WINDOWS\pss\America Online 7.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^KODAK Software Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\KODAK Software Updater.lnk
backup=C:\WINDOWS\pss\KODAK Software Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VPN Client.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk
backup=C:\WINDOWS\pss\VPN Client.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acut]
C:\DOCUME~1\MEGANW~1\APPLIC~1\FNTS~1\wuauboot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
--a--c--- 2002-10-02 17:41 684032 C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AltnetPointsManager]
c:\program files\altnet\points manager\points manager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HaertCodeUpdateAgent]
--a------ 2003-11-03 02:11 954507 D:\Program Files\HeartCode Inhospital\UpdateAgent\HeartCodeUpdateAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISTray]
C:\Program Files\Spyware Doctor\pctsTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
C:\WINDOWS\System32\ddcdc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyStartUp10.0]
--a--c--- 2001-07-25 09:00 241714 C:\Program Files\Microsoft Money\System\Activation.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NetZero_uoltray]
C:\Program Files\NetZero\exec.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a--c--- 2003-06-24 18:32 323584 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\P2P Networking]
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a--c--- 2003-08-13 18:37 26112 C:\Program Files\Real\RealPlayer\RealPlay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SearchUpgrader]
C:\Program Files\Common files\SearchUpgrader\SearchUpgrader.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\spc_w]
C:\Program Files\NZSearch\nzspc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a--c--- 2004-12-06 20:31 36975 C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Trickler]
c:\windows\temp\adware\fsg_4104.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zrhrpzqr]
C:\WINDOWS\F?nts\j?vaw.exe

R1 NEOFLTR_530_10641;Juniper Networks TDI Filter Driver (NEOFLTR_530_10641);C:\WINDOWS\System32\Drivers\NEOFLTR_530_10641.SYS [2006-04-27 00:40]
R3 Eacfilt;Eacfilt Miniport;C:\WINDOWS\System32\DRIVERS\eacfilt.sys [2002-04-22 13:50]
R3 IPSECSHM;Nortel IPSECSHM Adapter;C:\WINDOWS\System32\DRIVERS\ipsecw2k.sys [2002-04-30 22:16]
R3 maestro;ESS Maestro 3 Audio Driver (WDM);C:\WINDOWS\System32\drivers\es198x.sys [2001-08-17 11:19]
S2 IPSECEXT;Nortel Extranet Access Protocol;C:\WINDOWS\System32\DRIVERS\ipsecw2k.sys [2002-04-30 22:16]
S3 ati2mpaa;ati2mpaa;C:\WINDOWS\System32\DRIVERS\ati2mpaa.sys [2001-08-17 07:48]
S3 gUSBSTOi;gUSBSTOi;C:\DOCUME~1\MEGANW~1\LOCALS~1\Temp\gUSBSTOi.sys []

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-18 14:15:20
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\System32\NavLogon.dll
.
Completion time: 2008-02-18 14:18:13
ComboFix-quarantined-files.txt 2008-02-18 19:18:05
ComboFix2.txt 2008-02-18 00:32:47
.
2008-02-18 02:10:04 --- E O F ---






Logfile of HijackThis v1.99.1
Scan saved at 2:19:34 PM, on 2/18/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\NavNT\rtvscan.exe
C:\Program Files\Compaq A3000\CPQA3000.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Verizon Online\bin\mpbtn.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
C:\WINDOWS\explorer.exe
D:\Phillip\Virus stuff\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.upenn.edu/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape6%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Megan Wolfe\Application Data\Mozilla\Profiles\default\g88i87zx.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRA~1\Adobe\ACROBA~1.0\Reader\ActiveX\ACROIE~1.OCX
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\Toolbar.dll (file missing)
O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\System32\qttask.exe
O4 - HKLM\..\Run: [WinVNC] "C:\vnc\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CTPDPSRV] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\CTPDPSRV.EXE
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Compaq A3000 Settings Utility.lnk = C:\Program Files\Compaq A3000\CPQA3000.exe
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\bin\matcli.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O10 - Unknown file in Winsock LSP: c:\program files\neoteris\secure application manager\samnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\neoteris\secure application manager\samnsp.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\PLUGINS\NPDocBox.dll
O15 - Trusted Zone: http://mwebpah.uphs.upenn.edu
O16 - DPF: Cab-package - http://uphsnet.uphs....vex/mv_cert.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1203260859339
O16 - DPF: {6FE450DC-AD32-48D4-A366-01EE7E0B1374} - http://uphsnet.uphs....vex/capicom.cab
O16 - DPF: {86ecb6a0-400a-11d5-b638-00c04faedb18} -
O16 - DPF: {A8B3A7FE-9C8D-4F15-9B01-8805BDF43B1B} (AMI Pictorial Control CWeb 2.1 SPa06) - http://cenweb.uphs.u...l/amiviewer.cab
O16 - DPF: {D98F5BFB-D1E2-428F-B415-64DE948DE12D} - http://cenweb.uphs.u...l/amiviewer.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetup Control) - https://extranet.uph...uniperSetup.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7E7477E7-86C8-42C2-8695-D412071F139F}: NameServer = 71.242.0.12 71.250.0.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{D7E1ACC9-8671-4D19-89D9-53388D88E34A}: NameServer = 128.91.2.13,128.91.254.1,128.91.254.4
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\vnc\WinVNC.exe" -service (file missing)

#4 Simon V.

Simon V.

    MRU Emeritus

  • Authentic Member
  • PipPipPipPip
  • 897 posts

Posted 18 February 2008 - 01:46 PM

Hi :)

I saw a lot of other people using combofix, so I ran it last night.

Looks like you run a few other tools as well. Please don't run anything else unless instructed to do so.

I understand that downloading music and other files may be important to you; however, the Peer-to-Peer programs that you are using to do that, even if they are not infected with malware, will bring malware into your system. Therefore, the chances of you becoming infected again are very high. This obviously can result in disabling your computer and could even lead to someone stealing sensitive personal data from your computer. Beyond the inconvenience this causes you, these programs also tend to use your computer as a server to spread more infection all over the internet, so your computer becomes a part of the malware problem.

Remember that no matter how clean the program you're using for Peer-to-Peer filesharing may be, it offers no guarantees regarding the cleanliness of files you may choose to download. All files available via Peer-to-Peer filesharing carry a high risk, particularly those that offer you illegitimate methods of using legitimate software programs without paying for them. Any program or file that offers you the ability to access non-freeware programs at no cost, e.g., pirated software and/or cracks/key generators for gaining access to legitimate software, is 100% guaranteed to contain malware.

Here is some information that looks at the rates of infection:

http://www.benedelman.org/spyware/p2p/

With that being said, I recommend that you remove the following Peer-to-Peer program(s):

(Click on Start, then Control Panel. Double click on Add or Remove Programs)

LimeWire 4.8.1

Also remove the following programs -

J2SE Runtime Environment 5.0 Update 1
Java 2 Runtime Environment Standard Edition v1.3.1_05
Viewpoint Media Player (Remove Only) <-- Only remove this program if you haven't installed it yourself.

Then download and install Java Runtime Environment (JRE) 6 Update 4.

Step 1

Open Notepad (Go to Start > Run, type Notepad and hit Enter), and copy/paste the text in the quotebox below into it:

File::

C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\MSConfig .exe

Folder::

Registry::

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acut]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AltnetPointsManager]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISTray]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NetZero_uoltray]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\P2P Networking]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SearchUpgrader]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\spc_w]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Trickler]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zrhrpzqr]

Driver::

gUSBSTOi

Click on File > Save as....

In the File Name box, copy/paste CFScript.txt (Note: Do not change the filename!)

Click Save (Save the CFScript in the same location as Combofix.exe)

Close any open windows.

Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe.
It will create a log. Be sure to save it to a convenient location.

Step 2

Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location.
  • You can also access the log by doing the following:

  • Click on the Malwarebytes' Anti-Malware icon to launch the program.
  • Click on the Logs tab.
  • Click on the log at the bottom of those listed to highlight it.
  • Click Open.

Step 3

In your next reply, please post:

  • the Combofix log (C:\Combofix.txt)
  • the Malwarebytes' Anti-Malware log
  • a new HijackThis log

Trained at Malware Removal University - A Cooperative Effort with WhatTheTech Classroom.

Posted Image
Posted Image

So How Did I Get Infected In The First Place?
Stand Up and Be Counted!

#5 mucksava

mucksava

    New Member

  • New Member
  • Pip
  • 5 posts

Posted 18 February 2008 - 04:13 PM

ok, I deleted the files and updated JAVA: below are the new logs,

ComboFix 08-02-18.1 - Megan Wolfe 2008-02-18 16:13:51.4 - NTFSx86
Running from: C:\Documents and Settings\Megan Wolfe\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Megan Wolfe\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\MSConfig .exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\MSConfig .exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_GUSBSTOI
-------\gUSBSTOi


((((((((((((((((((((((((( Files Created from 2008-01-18 to 2008-02-18 )))))))))))))))))))))))))))))))
.

2008-02-18 16:06 . 2008-02-18 16:06 <DIR> d-------- C:\Program Files\Sun
2008-02-18 16:06 . 2007-12-14 01:59 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-02-18 15:56 . 2008-02-18 16:06 <DIR> d-------- C:\Program Files\Java
2008-02-18 15:46 . 2008-02-18 15:46 <DIR> d-------- C:\Program Files\Common Files\Java
2008-02-18 13:51 . 2008-02-18 13:51 <DIR> d-------- C:\Program Files\CCleaner
2008-02-18 07:43 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-02-18 07:43 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-02-17 23:03 . 2008-02-17 23:03 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-02-17 23:03 . 2008-02-17 23:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-17 22:01 . 2008-02-17 22:01 <DIR> d-------- C:\Documents and Settings\Megan Wolfe\Application Data\Talkback
2008-02-17 08:53 . 2008-02-18 13:25 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-17 08:52 . 2008-02-18 13:33 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-02-17 08:52 . 2008-02-17 08:52 <DIR> d-------- C:\Documents and Settings\Megan Wolfe\Application Data\PC Tools
2008-02-17 08:52 . 2007-12-10 14:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-02-17 08:52 . 2007-12-10 14:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-02-17 08:52 . 2007-12-10 14:53 41,864 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-02-17 08:52 . 2007-12-10 14:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-02-17 08:47 . 2008-02-17 22:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Google Updater
2008-02-17 01:17 . 2008-02-17 01:17 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Juniper Networks
2008-02-17 00:44 . 2008-02-17 07:40 2,042 --a------ C:\WINDOWS\system32\tmp.reg
2008-02-17 00:43 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-02-17 00:43 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-02-17 00:43 . 2008-02-16 19:46 85,504 --a------ C:\WINDOWS\system32\VACFix.exe
2008-02-17 00:43 . 2008-02-08 10:37 82,432 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-02-17 00:43 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-02-17 00:43 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-02-17 00:43 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-02-16 22:41 . 2008-02-16 22:41 181,965 --a------ C:\WINDOWS\system32\L63DB.tmp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-18 20:15 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-18 02:35 --------- d-----w C:\Program Files\UPHS VPN
2008-02-17 23:57 --------- d-----w C:\Program Files\NavNT
2008-02-17 15:12 --------- d-----w C:\Program Files\Google
2008-02-17 03:49 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-02-15 02:00 --------- d-----w C:\Documents and Settings\Megan Wolfe\Application Data\EndNote
2008-01-15 22:50 --------- d-----w C:\Documents and Settings\LocalService\Application Data\Juniper Networks
2008-01-14 03:31 --------- d-----w C:\Documents and Settings\Megan Wolfe\Application Data\Viewpoint
2008-01-14 03:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-01-12 16:17 --------- d-----w C:\Documents and Settings\Megan Wolfe\Application Data\ICAClient
2008-01-12 16:16 --------- d-----w C:\Program Files\Neoteris
2008-01-12 16:16 --------- d-----w C:\Documents and Settings\Megan Wolfe\Application Data\Juniper Networks
2004-01-24 04:07 20,040 -c--a-w C:\Documents and Settings\Megan Wolfe\Application Data\GDIPFONTCACHEV1.DAT
2003-01-15 14:29 1,816 -c--a-w C:\Program Files\INSTALL.LOG
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vptray"="C:\Program Files\NavNT\vptray.exe" [ ]
"QuickTime Task"="C:\WINDOWS\System32\qttask.exe" [ ]
"WinVNC"="C:\vnc\WinVNC.exe" [ ]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [ ]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [ ]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-06-24 18:32 4800512]
"CTPDPSRV"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\CTPDPSRV.EXE" [ ]
"Motive SmartBridge"="C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe" [ ]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [ ]
"MSConfig"="C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.exe" [2008-02-17 10:00 145408]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 03:42 144784]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Compaq A3000 Settings Utility.lnk - C:\Program Files\Compaq A3000\CPQA3000.exe [2004-05-21 10:33:49 1142784]
Verizon Online Support Center.lnk - C:\Program Files\Verizon Online\bin\matcli.exe [2005-07-14 18:35:36 204800]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= C:\Program Files\Qualcomm\Eudora\EuShlExt.dll [2002-04-04 14:00 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-583907252-1708537768-1417001333-13306\Scripts\Logon\0\0]
"Script"=\\med.upenn.edu\netlogon\audit.cmd

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 7.0 Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 7.0 Tray Icon.lnk
backup=C:\WINDOWS\pss\America Online 7.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^KODAK Software Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\KODAK Software Updater.lnk
backup=C:\WINDOWS\pss\KODAK Software Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VPN Client.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk
backup=C:\WINDOWS\pss\VPN Client.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
--a--c--- 2002-10-02 17:41 684032 C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HaertCodeUpdateAgent]
--a------ 2003-11-03 02:11 954507 D:\Program Files\HeartCode Inhospital\UpdateAgent\HeartCodeUpdateAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyStartUp10.0]
--a--c--- 2001-07-25 09:00 241714 C:\Program Files\Microsoft Money\System\Activation.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a--c--- 2003-06-24 18:32 323584 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a--c--- 2003-08-13 18:37 26112 C:\Program Files\Real\RealPlayer\RealPlay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe

R1 NEOFLTR_530_10641;Juniper Networks TDI Filter Driver (NEOFLTR_530_10641);C:\WINDOWS\System32\Drivers\NEOFLTR_530_10641.SYS [2006-04-27 00:40]
R3 Eacfilt;Eacfilt Miniport;C:\WINDOWS\System32\DRIVERS\eacfilt.sys [2002-04-22 13:50]
R3 IPSECSHM;Nortel IPSECSHM Adapter;C:\WINDOWS\System32\DRIVERS\ipsecw2k.sys [2002-04-30 22:16]
R3 maestro;ESS Maestro 3 Audio Driver (WDM);C:\WINDOWS\System32\drivers\es198x.sys [2001-08-17 11:19]
S2 IPSECEXT;Nortel Extranet Access Protocol;C:\WINDOWS\System32\DRIVERS\ipsecw2k.sys [2002-04-30 22:16]
S3 ati2mpaa;ati2mpaa;C:\WINDOWS\System32\DRIVERS\ati2mpaa.sys [2001-08-17 07:48]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-18 16:21:06
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Verizon Online\bin\mpbtn.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\Imapi.exe
.
**************************************************************************
.
Completion time: 2008-02-18 16:26:27 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-18 21:25:59
ComboFix2.txt 2008-02-18 19:18:15
ComboFix3.txt 2008-02-18 00:32:47
.
2008-02-18 02:10:04 --- E O F ---








Malwarebytes' Anti-Malware 1.03
Database version: 374

Scan type: Quick Scan
Objects scanned: 24833
Time elapsed: 8 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\Local AppWizard-Generated Applications (Rogue.Multiple) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\Software\Mozilla\Firefox\Extensions\{59a40ac9-e67d-4155-b31d-4b7330fcd2d6} (Adware.PurityScan) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)







Logfile of HijackThis v1.99.1
Scan saved at 5:06:46 PM, on 2/18/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\Program Files\Compaq A3000\CPQA3000.exe
C:\Program Files\Verizon Online\bin\mpbtn.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
D:\Phillip\Virus stuff\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.upenn.edu/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape6%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Megan Wolfe\Application Data\Mozilla\Profiles\default\g88i87zx.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRA~1\Adobe\ACROBA~1.0\Reader\ActiveX\ACROIE~1.OCX
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\Toolbar.dll (file missing)
O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\System32\qttask.exe
O4 - HKLM\..\Run: [WinVNC] "C:\vnc\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CTPDPSRV] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\CTPDPSRV.EXE
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Compaq A3000 Settings Utility.lnk = C:\Program Files\Compaq A3000\CPQA3000.exe
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\bin\matcli.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O10 - Unknown file in Winsock LSP: c:\program files\neoteris\secure application manager\samnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\neoteris\secure application manager\samnsp.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\PLUGINS\NPDocBox.dll
O15 - Trusted Zone: http://mwebpah.uphs.upenn.edu
O16 - DPF: Cab-package - http://uphsnet.uphs....vex/mv_cert.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1203260859339
O16 - DPF: {6FE450DC-AD32-48D4-A366-01EE7E0B1374} - http://uphsnet.uphs....vex/capicom.cab
O16 - DPF: {86ecb6a0-400a-11d5-b638-00c04faedb18} -
O16 - DPF: {A8B3A7FE-9C8D-4F15-9B01-8805BDF43B1B} (AMI Pictorial Control CWeb 2.1 SPa06) - http://cenweb.uphs.u...l/amiviewer.cab
O16 - DPF: {D98F5BFB-D1E2-428F-B415-64DE948DE12D} - http://cenweb.uphs.u...l/amiviewer.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetup Control) - https://extranet.uph...uniperSetup.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7E7477E7-86C8-42C2-8695-D412071F139F}: NameServer = 71.242.0.12 71.250.0.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{D7E1ACC9-8671-4D19-89D9-53388D88E34A}: NameServer = 128.91.2.13,128.91.254.1,128.91.254.4
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\vnc\WinVNC.exe" -service (file missing)

#6 Simon V.

Simon V.

    MRU Emeritus

  • Authentic Member
  • PipPipPipPip
  • 897 posts

Posted 19 February 2008 - 12:24 AM

Hi :)

Open HijackThis, perform a scan and put a check next to the following items (if present):

O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL (file missing)
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\System32\qttask.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {86ecb6a0-400a-11d5-b638-00c04faedb18} -

Close all programs except HijackThis and click on Fix checked.

In your next reply, please let me know how your computer is currently running.
Trained at Malware Removal University - A Cooperative Effort with WhatTheTech Classroom.

Posted Image
Posted Image

So How Did I Get Infected In The First Place?
Stand Up and Be Counted!

#7 mucksava

mucksava

    New Member

  • New Member
  • Pip
  • 5 posts

Posted 19 February 2008 - 06:39 PM

HI :scratch: I checked all the items on hijackthis, and fixed them. The computer seems to be working fine, no more popups, not as slow as before. The only thing wrong with it now is everytime I click on internet explorer or a microsoft office application (powerpoint, excel, word,...) windows installer starts and tries to configure "office xp with frontpage". that started when I got the virus. I usual click cancel, it goes away after a while (it sometimes takes a few cancels to get it to stop coming up) and the program finishes loading and works fine. When I let it run to see what happens it states I need to install a windows file from the service pack. eg "Windows XP Professional Service Pack 1 CD " to proceed with the installation. I tried the CD my computer came with but that didn't work. I tried to get all the updates for windows, but some of them won't install and the automatic windows updates keeps saying I have updates to install. Other programs like Acrobat, Mozilla aren't affected. Well, other than that, which is mildly annoying, it seems to be working ok.

#8 Simon V.

Simon V.

    MRU Emeritus

  • Authentic Member
  • PipPipPipPip
  • 897 posts

Posted 20 February 2008 - 12:32 AM

Hi :)

You can try completely reinstalling Microsoft Office, that may fix your problem.

I'm not an expert on Windows updates, there are other people here at WhatTheTech that specialize in general computer problems > http://forums.whatth...ndows_f119.html. You can ask for help there on the problems you are experiencing with the Windows updates.

As your logs looks clean, here are some tips to keep your computer clean in the future:

You can now delete the following program(s):

Click Start then Run....

  • Type Combofix /u in the runbox and click OK. (Note: The space between the x and the /u needs to be there)

    Posted Image

  • This will uninstall Combofix.

Make your Internet Explorer More Secure

  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab.
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.

  • Change the Download signed ActiveX controls to Prompt.
  • Change the Download unsigned ActiveX controls to Disable.
  • Change the Initialise and script ActiveX controls not marked as safe to Disable.
  • Change the Installation of desktop items to Prompt.
  • Change the Launching programs and files in an IFRAME to Prompt.
  • Change the Navigate sub-frames across different domains to Prompt.
  • When all these settings have been made, click on the OK button.
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.

  • Next press the Apply button and then the OK to exit the Internet Properties page.

Use a Firewall - Without a firewall your computer is susceptible to being hacked and taken over. The Windows firewall isn't sufficient as it only monitors incoming connections.

Here are a few (free) firewalls, please download and install one of them:


Visit Microsoft's Update Site Frequently - It is important that you visit http://update.microsoft.com/ regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Install WinPatrol - An excellent startup manager, notifies you if programs are added to startup, allows delayed startup, ... A must have! An installation guide can be found here: http://www.winpatrol.com/download.html

Install Spybot - Search and Destroy - You should scan your computer with the program on a regular basis just as you would with your anti-virus software. A tutorial on installing and using this product can be found here (do not install TeaTimer): http://www.bleepingc...tutorial43.html

Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs. A tutorial can be found here: http://www.bleepingc...tutorial49.html

Install IE-Spyad - IE-Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites. A tutorial on installing this product can be found here: http://www.spywarewa...rce.htm#IESPYAD

Update All Your Security Programs Regularly - Make sure you update all your security programs (Anti-Virus, Firewall, Anti-Spyware) regularly (once a weak, at least). Without regular updates you WILL NOT be protected when new malicious programs are released.

You can also read this excellent article by TonyKlein: So how did I get infected in the first place?

Follow this list and your potential for being infected again will reduce dramatically.

Stand Up and Be Counted! - Please take the time to tell us what you would like to be done about the people who are behind all the problems you have had. We can only get something done about this if the people that we help, like you, are prepared to complain. We have a dedicated forum for collecting these complaints: Malware Complaints. You have to be registered to post. After registering just find your country room and register your complaint. The infection you had was Vundo (Virtumundo).
Trained at Malware Removal University - A Cooperative Effort with WhatTheTech Classroom.

Posted Image
Posted Image

So How Did I Get Infected In The First Place?
Stand Up and Be Counted!

#9 mucksava

mucksava

    New Member

  • New Member
  • Pip
  • 5 posts

Posted 20 February 2008 - 05:12 PM

Thanks again. I really appreciate all your help.

#10 Simon V.

Simon V.

    MRU Emeritus

  • Authentic Member
  • PipPipPipPip
  • 897 posts

Posted 21 February 2008 - 12:10 AM

Thanks again. I really appreciate all your help.

You're very welcome, glad I could be of assisance :)

Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.


Edited by Simon V., 21 February 2008 - 12:10 AM.

Trained at Malware Removal University - A Cooperative Effort with WhatTheTech Classroom.

Posted Image
Posted Image

So How Did I Get Infected In The First Place?
Stand Up and Be Counted!

Related Topics

Back to Virus, Spyware & Malware Removal · Next Unread Topic →

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. What the Tech
  2. Spyware / Malware / Virus Removal
  3. Virus, Spyware & Malware Removal
  4. Privacy Policy
  5. Terms of Use ·